What is a penetration test?

A penetration test is a simulation of a malicious attack on a computer system, a network or an organisation under real-world conditions. The penetration test allows you to determine the resistance of your computer system against real attacks.

Testing and compliance validation are essential parts of the development cycle in nearly all fields involving complex systems and their development. SSL247® carries out penetration tests on not only your system and network, but also any related IT devices.

A logical penetration test with the help of an e-mail campaign during social engineering

The goal is to identify the most relevant security loopholes in order to develop a realistic attack scenario aimed at escalating privileges on the network. These privileges would allow an attacker to gain access to systems or obtain specific information.

Our teams place emphasis on making the penetration scenario as broad as possible. This allows the testing to be as realistic as possible and covers more elements of your infrastructure.

For most internal penetration tests, our consultants intervene on site and work autonomously based on the access provided to them.

Possible testing strategies include:

the use of lower-level access credentials, such as those of a visitor or guest, where the user may only be granted access to an internet connection.

more specific access options, such as "standard office" access or the common access that is granted to all employees.

The phases of an internal penetration test are as follows:

Discovery Phase

Aims to obtain the maximum amount of information about the internal network from the physical access gained. This involves passive listening to traffic (the interactions with network and server devices).

Mapping Phase

The goal is to obtain as much information as possible about different targets in order to identify the attack surface and render the attacks more effective. Our team has developed tools that automate a part of this phase, allowing more time for focusing on manual testing.

Penetration Phase

This phase identifies entry points on the internal network and any loopholes that facilitate taking over devices and acquiring data that reveal other vulnerabilities. The penetration phase is a major phase of this type of testing.

Exploitation Phase

This is another major phase of internal penetration testing, where vulnerabilities are identified and progressively higher levels of access can be achieved. The "classic" exploitation phase starts with a vulnerability that allows a machine (workstation or server) to be controlled and ends with the takeover of the domain or machine cluster. This attack pattern replicates a realistic scenario of exploration and lateral movement aimed at data extraction.

External Penetration Testing

An external penetration test imitates the real actions of a hacker who does not start with access to your internal network. The pentester attacks from the outside, via the Internet, without necessarily knowing any details about your organisation's information infrastructure.

External penetration testing consists of searching for vulnerabilities present in your internet-facing infrastructure and choosing the least risky, most discreet and most efficient method to gain access to it.

Prerequisites

This type of testing only requires you to provide an IP address range and a test authorisation for each host included in the scope.

Simulation of a real attack and its impacts

If necessary, we can attempt an escalation of privilege, allowing the test to extend into networks that are inaccessible from the internet (your internal network, for example). The test will be extended in search of a target, or of sensitive elements. This simulates a real penetration scenario by an attacker targeting your infrastructure.

A valuable resource for decision making

These tests challenge the security of all infrastructure components, including those which are not necessarily visible from the Internet, such as the filtering equipment.

Once the recommendations from the detailed report have been evaluated, decision makers are better able to prioritise their choices, for example reinforcing network separation or concentrating efforts on development security.

Reconnaissance Phase

Multiple searches of public sources are undertaken to find information leaks that could be used to set up an attack. These sources may include search engines, DNS, Whois, pastebin-like sites, etc.

Mapping Phase

The goal is to get as much information as possible on the different targets in order to identify the attack surface and render the attacks more effective. Each service is retrieved and categorised to help with processing it in the following penetration phase. This step also makes it possible to identify the network path taken, and thus potentially the equipment that filters the system and application servers to be audited.

Penetration Phase

This phase identifies entry points on the internal network and any loopholes that facilitate taking over devices and acquiring data that reveal other vulnerabilities. The penetration phase is a major phase of this type of testing:

Vulnerabilities on Web Services: exploiting vulnerabilities in a Web environment offers more interaction for an attacker than a simple third-party network service such as SMTP, FTP, or SSH. That's why we pay special attention and dedicate a particular methodology to testing Web applications.

Vulnerabilities on Third-party Non-web Services: in this case, configuration weaknesses are exploited and attempts such as enumerating passwords or using known exploits are carried out.

Exploitation Phase

This phase confirms the risk level of the identified vulnerabilities and provides visibility on the opportunities a hacker would have to exfiltrate confidential data and modify sensitive elements within your infrastructure. This phase makes the penetration test tangible and demonstrates the expertise of our consultants.

In this type of test, the exploitation phase often aims to transform a system / application vulnerability into a means of communication with the internal network. This is done to identify a way to compromise your internal network through an internet exposed infrastructure.

"Lateral movement" is another part of the exploitation phase that aims to simulate what an attacker would do once on the internal network, such as moving from the compromised web server to the database and then to the company's main directory.

These tests aim to determine whether a malicious attacker could compromise the security of your information system by targeting one or several applications hosted internally, within your IT infrastructure, and externally.

The function of both simple and complex applications will be identified and then manipulated, in an attempt to exploit or bypass their security. An audit of the web application and security of its configuration will be conducted to detect vulnerabilities that may have been created during the integration of the application.

Building on the OWASP methodologies, our teams have developed the following phases of testing:

Network and System Mapping

This phase was designed to identify the exposure of the server hosting the web application for thorough testing in subsequent phases.

This phase identifies services that are accessible and confirms the existence of server configuration errors.

This phase aims to identify vulnerabilities related to the web server software (such as Apache, IIS, Nginx) that hosts the web application and service.

Depending on the configuration settings and level of system/software updates, an attacker may be able to compromise the server and applications hosted within.

Application Penetration

This is the most important phase, and consumes the largest amount of a consultant’s time. This phase aims to challenge the security of the developed code or the solution that is already in place (for example a CMS) by testing each function in detail.

If an authenticated application penetration test is performed, this phase will also include a detailed security analysis of the various means of authentication and session maintenance. We will also verify whether the authentication mechanisms can be bypassed and whether each user's session data is isolated from that of other users.

Exploitation Phase

Each identified vulnerability is demonstrated by exploiting it, making it possible to obtain:

Confidential data: if an isolation defect exists, for example, we will attempt to recover information on users other than the one whose account was provided.

Server Control: it can be possible to extend testing to the internal network by obtaining a command prompt on the machine hosting the application. Through this, we can verify the execution of system commands.

Privileged access: the impersonation of a user’s identity will be attempted to try and gain greater access than that of the given account/user.

Discovery Phase

Based on the initial amount of information received, we will first try to identify all Wi-Fi networks belonging to you, to analyse the security technologies implemented and the architecture of the access points. This step evaluates the level of exposure and opacity of your Wi-Fi networks.

Network Mapping Phase

We begin by mapping out all access points on your networks. We will also make sure that foreign/unauthorised networks are not infringing upon your perimeter and that no unauthorised access points are present on your property.

Penetration Phase on Captive Portals

Once the perimeter is defined, we will try to discover possible access point vulnerabilities that may allow an attacker to gain a foothold on the internal network or to obtain sensitive information on your organisation and its services.

The purpose of this is to show the exploitability of the vulnerabilities and to determine the skill-level or competency required to exploit the vulnerabilities.

We will also verify the isolation (or lack thereof) of the network from other privileged networks.

Penetration phase on Private Access Points

If we discover that "company", "enterprise" or "protected" networks are in use (networks that are intended for internal, not public, use), we will try a range of attacks aimed at obtaining access to these closed-off networks.

These attacks can target wireless clients (employees), with the aim of stealing login/access details that will give us access to the network.

Information Gathering

Working between the Ethernet socket and the phone itself, the goal is to obtain as much information as possible about the VoIP network.

Penetration Attempts on IP Phones

These tests are conducted to target IP phones and analyse their configuration and attack surface. The privacy and integrity of sensitive information exchanged between the phone and the infrastructure will be assessed. An attempt at compromising the network and available services will be made, including by gaining physical access to the IP phone (using identity theft methods, for example).

Penetration Attempts on Phone Infrastructure

These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to exploit them successfully. SSL247® will highlight the risks of wiretapping and fraud.

Prerequisites

VoIP penetration tests generally take place on site, on your premises. We will only require access to one or a few phones to conduct the tests.

Phone Fraud: A risk with Strong Financial Implications

We are also able to conduct external testing on an answering or voicemail system, for example.

This test is composed of the following steps:

Information gathering

Information will be gathered from the available local network connection as well as from a physical IP phone, to obtain the maximum amount of information on the VoIP network.

Penetration Attempts on IP Phones

In this step, IP phones will be targeted and their configuration and attack surface will be analysed to test the confidentiality and integrity of the data exchanged on the network between the telephones and the infrastructure.

Following this, a compromise of the available services will be attempted, including via physical access to the IP telephone.

Penetration attempts on the telephone infrastructure

These tests target the VoIP infrastructure and any systems and services accessible through the servers. The purpose is to identify security flaws and assess the competence level required to exploit them successfully. SSL247® will highlight the risks of wiretapping and fraud.

We are also able to analyse the causes and consequences of a fraud attempt made using the telephony infrastructure, and to advise on how to prevent this risk.

The use of remote office environments is increasingly common in today’s professional world, and their security is often difficult to grasp. Therefore, we recommend that you test the security of any remote access services you use (such as VDI/Citrix/Remote Desktops).

Prerequisites

To perform this type of audit, we require the URL of the remote access service(s) and at least one set of authentication credentials used for the virtual application.

Isolation Assessment of Virtual Apps

Our attack simulation will aim mostly at evaluating the possibility of a malicious user breaking through access control restrictions and thus gaining access to information and services they should not have access to.

Critical Threats

An attacker who can successfully "break through" to other parts of your remote access service exposes you to a new range of threats, such as theft of client or employee data, access to a database on your infrastructure, or compromise of your domain.

These threats are generally underestimated, and our teams aim to highlight the importance of testing the remote access services you use.

Flexible Recommendations

Numerous solutions exist to mitigate the risks of using these types of products. In our reports, we will provide you with the most suitable security recommendations to meet your usage needs for remote access services.

Mapping Phase

We will scan the network to identify use of any remote access services.

Application Partitioning Assessment Phase

In this phase, we assess the risk of an attacker extending their access beyond the access level intended for the user.

This will be done with an approach similar to that of an application penetration test.

Local Exploitation Phase

We will assess the privileges of the server and identify sensitive data.

Post-Exploitation Phase

We will move laterally on the internal network, attempting to compromise the centralised architecture.

Test Reports

Our reports are much more than a simple list of vulnerabilities generated with an automated tool. From the methodology and strategies employed to the evidence gathered, our reports provide as much information as possible, enabling your teams to understand and replicate the exploitation or verification of all identified vulnerabilities.